Splunk Enterprise
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Ask a Question

Splunk Docker Keeps Receiving Events When Forwarder is Off

tkraft
New Member
‎02-03-2020 11:31 AM

I recently setup a Docker implementation on a Test Server (CentOS 8). Pulled down the Splunk Base Enterprise container and got it working with no issues. Obviously there were no events going to it since I hadn't pulled a universal forwarder yet. So I pulled down the UF and got it working too and events started flowing into my Splunk base container - all was good. Then I shut down the server and have several times since but when I start the base Splunk container and leave the forwarder off - I am still getting events flowing into base Splunk container. It doesn't seem to matter if I start the forwarder or leave it off - I still get events. Is this normal behavior? I cannot find any documentation on why I would still be getting events with the forwarder off.

Tags (1)
0 Karma
Reply

13tsavage
Communicator
‎02-03-2020 11:59 AM

Yes this is 100000% normal because Splunk is continuously monitoring itself. Even though your universal forwarder container is turned off and/or not sending data to your base Splunk container, that base Splunk container continues to ingest data from itself.

See this Splunk Docs page on What Splunk software logs about itself

0 Karma
Reply
Get Updates on the Splunk Community!

Extending Observability Content to Splunk Cloud

Watch Now!   In this Extending Observability Content to Splunk Cloud Tech Talk, you'll see how to leverage ...

More Control Over Your Monitoring Costs with Archived Metrics!

What if there was a way you could keep all the metrics data you need while saving on storage costs?This is now ...

New in Observability Cloud - Explicit Bucket Histograms

Splunk introduces native support for histograms as a metric data type within Observability Cloud with Explicit ...